Security Experts:

New Drive Wiping Malware Surfaces in Iran

Researchers at Symantec and Kaspersky Lab have confirmed the existence of malware that does nothing more than wipe the drive of the host where it is installed. Circulating in low numbers, the malware, named Batchwiper by Symantec, has only been seen in Iran thus far, but does not appear to be related to Stuxnet, Duqu, or Flame.

According to Iran’s CERT, which first reported the threat, the malware wipes files on different drives in various predefined times.

“The samples are not sophisticated and will wipe any drives starting with the drive letters D through I, along with files on the currently logged-in user’s Desktop. After deletion, the threat will then run Chkdsk on the drives,” Symantec explained in a blog post.

Kaspersky Lab's Roel Schouwenberg agrees. "This is an extremely simplistic attack," Schouwenberg noted in a blog post. "In essence, the attacker wrote some BAT files and then used a BAT2EXE tool to turn them into Windows PE files. The author seems to have used (a variant of) this particular BAT2EXE tool."

Thanks to Iran’s CERT, Symantec was able to get samples of the malware and confirm what it does. In addition, the samples from Iran’s CERT were made available to other AV operations, and as such, the detection for Batchwiper went from nearly nothing, to a majority of the security products on the market.

Unfortunately, this does nothing for systems in Iran or other areas where there is no such protection available.

In addition to confirming what the malware does, Symantec also rooted out the destructive dates where data is removed. According to the time clock, 2012’s dates have passed. However Batchwiper will activate again for three days in January (21-23), May (06-08), July (22-24), and November (11-13) next year. There are also dates for 2014 and 2015 accounted for.

"Other than the geographic region there doesn't seem to be any commonality with this file-deleting malware and the previous attacks we've seen," Schouwenberg added. "This is as basic as it gets. But if it was effective that doesn't matter. If it wasn't clear already - the era of cyber-sabotage has arrived. Be prepared."

Subscribe to the SecurityWeek Email Briefing
view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.